Infosec Guide: Defending Against Man-in-the-Middle Attacks

The network infrastructure serves as the main method by which users within an organization communicate and share information. This makes it a particularly lucrative target for cyber criminals who want to infiltrate the organization to retrieve data or disrupt processes.

A Man-in-the-Middle (MitM) attack is a type of attack that involves a malicious element “listening in” on communications between parties, and is a significant threat to organizations. Such attacks compromise the data being sent and received, as interceptors not only have access to information, they can also input their own data. Given the importance of the information that goes back and forth within an organization, MiTM attacks represent a very real and potent threat that IT professionals need to be able to address.

To be able to mitigate MiTM attacks, it is important to understand the different techniques that cybercriminals use against individual users and organizations, as it will help IT professionals identify an ongoing attack.

Address Resolution Protocol (ARP) Cache Poisoning

The Address Resolution Protocol (ARP) is a communications protocol used to resolve network addresses (such as IPV4 and IPV6) and physical ones (such as a MAC address) via the data link layer. A host will need to send an ARP request to the TCP/IP network to obtain a physical address. However, due to the unsecure nature of the ARP, it is vulnerable to MiTM attacks using a technique called ARP Spoofing.

The ARP lacks an authentication protocol, allowing an attacker to send spoofed or fake ARP messages to the Local Area Network (LAN). The objective of these attacks is to essentially map the attacking MAC address to the IP address of the target host, resulting in the interception of all traffic meant for the target host. The attacker can use the intercepted data for malicious purposes, such as spying or even modifying the communication between the parties involved.

Mitigation:

Adding static ARP entries into the cache is one method of mitigating ARP cache poisoning attacks. This method prevents attackers from using ARP requests and replies as the devices in the network will rely on the local cache instead. However, this technique might not be feasible for larger organizations, as each system in the network will need be configured manually.

SSL and TLS protocols use web encryption to provide secure network communication. The most common type of SSL protocol, and the one most often encountered by regular users, is HTTPS. This protocol consists of communication over the traditional Hypertext Transfer Protocol (HTTP), but is protected via encryption through SSL and TLS. While these protocols provide greater protection for network communication, they can still be vulnerable to MiTM attacks. Many users often do not use “https” when trying to access a website, as they will first connect to the unsecured HTTP site before being redirected to the HTTPS site. An attacker can compromise this step via connection hijacking attacks, which can be pulled off by using tools such as sslstrip, which strips the website of its SSL protocols

Mitigation:

The HTTP Strict Transport Security (HSTS) is a security mechanism sent through special response headers that can protect against MiTM attacks by only allowing websites to be accessed through TLS or SSL. This cuts out the vulnerable portion of website access by bypassing connection via HTTP. IT Professionals should look into implementing HSTS as a standard part of their security policies, as it greatly enhances website security, preventing MiTM incidents for both the organization and their website visitors.

For regular users, always verify if a website is secure by checking the URL bar for a (green) lock icon before typing any sensitive data like password. A (green) lock icon means the traffic to the website is encrypted with a legitimate certificate.

Domain Name Server (DNS) Spoofing

Spoofing is another common type of attack, and refers to an attacker impersonating the victim’s identity to trick the network into the believing the legitimacy of the attacker’s profile. Cyber criminals often use spoofing tactics to infiltrate networks, allowing them access to restricted data and information.

Spoofing can take many different forms. Domain Name Server (DNS) spoofing is commonly used in Man in the Middle Attacks. A DNS spoofing attack happens when an attacker uses weaknesses in the DNS software, often by injecting a “poisoned” DNS entry into the DNS server’s cache. This causes it to return an incorrect IP address, which is often a compromised website used by the attacker for different purposes such as phishing attacks. DNS spoofing can be difficult to detect, as cybercriminals will often create malicious websites that resemble legitimate ones.

Mitigation:

DNS spoofing can be difficult to detect for users who are unaware of this type of attack. IT professionals can help protect their network's users by regularly clearing the DNS cache of local machines and network servers. In addition, users of Microsoft-based systems can look into utilizing Domain Name Security System Extensions (DNSSEC), which are a suite of extensions that tighten DNS security by providing features such as origin authority, data integrity, and authenticated denial of existence. DNSSEC is particularly effective against DNS spoofing attacks.

Trend Micro Solutions

Protecting the network from MiTM attacks requires a multistep approach that combines different mitigation techniques and security solutions.

In addition to these best practices, organizations should also look into solutions that can provide multi-layered solutions that can protect the network across all levels.

Trend Micro protects enterprises and small to medium sized businesses against network attacks via our Trend Micro Smart Protection Suites and Network Defense solutions. These solutions provide a comprehensive layer of protection through inspection of email headers, social engineering tactics, and forged behaviors, as well as the detection of other network related attacks.

2019 SECURITY PREDICTIONS

Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape.View the 2019 Security Predictions